rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

trunk: 2 patches from dan.

Browse Source
This commit is contained in:
Chris PeBenito 2008-12-02 22:40:49 +00:00
parent b3eb124654
commit 14c0edc7e9
5 changed files with 144 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
policy/modules/kernel/corecommands.fc
View File

@ -44,6 +44,8 @@ ifdef(`distro_redhat',`
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.daily/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.hourly/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
@ -146,6 +148,8 @@ ifdef(`distro_gentoo',`
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
@ -183,10 +187,8 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)

2
policy/modules/kernel/corecommands.te
View File

@ -1,5 +1,5 @@
policy_module(corecommands, 1.10.0) policy_module(corecommands, 1.10.1)
######################################## ########################################
# #

1
policy/modules/kernel/files.fc
View File

@ -29,6 +29,7 @@ ifdef(`distro_suse',`
/boot -d gen_context(system_u:object_r:boot_t,s0) /boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>> /boot/\.journal <<none>>
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>> /boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)

134
policy/modules/kernel/files.if
View File

@ -935,6 +935,32 @@ interface(`files_relabel_all_files',`
seutil_relabelto_bin_policy($1) seutil_relabelto_bin_policy($1)
') ')
########################################
## <summary>
## rw all files on the filesystem, except
## the listed exceptions.
## </summary>
## <param name="domain">
## <summary>
## The type of the domain perfoming this action.
## </summary>
## </param>
## <param name="exception_types" optional="true">
## <summary>
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_rw_all_files',`
gen_require(`
attribute file_type;
')
rw_files_pattern($1, { file_type $2 }, { file_type $2 })
')
######################################## ########################################
## <summary> ## <summary>
## Manage all files on the filesystem, except ## Manage all files on the filesystem, except
@ -2742,6 +2768,24 @@ interface(`files_manage_mnt_files',`
manage_files_pattern($1, mnt_t, mnt_t) manage_files_pattern($1, mnt_t, mnt_t)
') ')
########################################
## <summary>
## read files in /mnt.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_read_mnt_files',`
gen_require(`
type mnt_t;
')
read_files_pattern($1, mnt_t, mnt_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete symbolic links in /mnt. ## Create, read, write, and delete symbolic links in /mnt.
@ -3161,6 +3205,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms; dontaudit $1 tmp_t:dir list_dir_perms;
') ')
########################################
## <summary>
## Remove entries from the tmp directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_tmp_dir_entry',`
gen_require(`
type tmp_t;
')
allow $1 tmp_t:dir del_entry_dir_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Read files in the tmp directory (/tmp). ## Read files in the tmp directory (/tmp).
@ -3469,6 +3531,42 @@ interface(`files_dontaudit_rw_usr_dirs',`
dontaudit $1 usr_t:dir rw_dir_perms; dontaudit $1 usr_t:dir rw_dir_perms;
') ')
########################################
## <summary>
## Delete generic directories in /usr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_usr_dirs',`
gen_require(`
type usr_t;
')
allow $1 usr_t:file delete_dir_perms;
')
########################################
## <summary>
## Delete generic files in /usr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_usr_files',`
gen_require(`
type usr_t;
')
allow $1 usr_t:file delete_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Get the attributes of files in /usr. ## Get the attributes of files in /usr.
@ -3527,6 +3625,24 @@ interface(`files_exec_usr_files',`
read_lnk_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t)
') ')
########################################
## <summary>
## dontaudit write of /usr files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_dontaudit_write_usr_files',`
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:file write;
')
######################################## ########################################
## <summary> ## <summary>
## Create, read, write, and delete files in the /usr directory. ## Create, read, write, and delete files in the /usr directory.
@ -4401,6 +4517,24 @@ interface(`files_list_pids',`
list_dirs_pattern($1, var_t, var_run_t) list_dirs_pattern($1, var_t, var_run_t)
') ')
########################################
## <summary>
## Read generic process ID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_read_generic_pids',`
gen_require(`
type var_t, var_run_t;
')
read_files_pattern($1, { var_t var_run_t }, var_run_t)
')
######################################## ########################################
## <summary> ## <summary>
## Create an object in the process ID directory, with a private ## Create an object in the process ID directory, with a private

3
policy/modules/kernel/files.te
View File

@ -1,5 +1,5 @@
policy_module(files, 1.10.0) policy_module(files, 1.10.1)
######################################## ########################################
# #
@ -174,6 +174,7 @@ files_lock_file(var_lock_t)
# #
type var_run_t; type var_run_t;
files_pid_file(var_run_t) files_pid_file(var_run_t)
files_mountpoint(var_run_t)
# #
# var_spool_t is the type of /var/spool # var_spool_t is the type of /var/spool